Multi-Stage Payload : Cross Site Scripting Encount'"er

Hi All,This blog post is a description of a Cross Site Scripting I found in a Banking Application while testing it. I cannot disclose the name obviously, so you would have to gain trust on me.Why I am writing a blog post on , "just a XSS", is because i thought this is a bit different from what all we keep finding.There were quite a number of filters and constraints which kept me indulged in it for some time.Restriction 1: Tags were not allowed. If you put any input so that it completes a tag, session gets closed. Point to be noticed, Open tag was allowed.Restriction 2: Whatever stuff you inject with great force, application was reflecting it in Upper case, so dude.. No javascript shit.Restriction 3: Max Length of 35 characters.1 Plus Point: Web application was only accessible in IE.When i started the test, disliked this fact. But by the end, I loved this one.
I was trying with VBscript payloads. But the issue of tags and length based was worst.As there were four input parameters, I thought of breaking my payload into parts and then inject.

I tried with opening the img src in one input, and then using a single quote trick, took the alert part to next input. So that my payloads being1st Payload: "><img src='a2nd Payload: ' onerror=alert(1) size="So that, whatever comes in between 1st payload and second one, it becomes the value of the src attribute. But, it didn't worked. Reason being, there was already a single quote in between the two reflection points which caused the value to be broken in between only.

In place of single quotes, another idea was a pair of /* and */ . but this didn't worked as well.3rd option, CDATA, i.e. a pair of <![CDATA[ and ]]>. But this also didn't worked and I later realised this was a stupid one. How can I give a tag inside a tag. Syntactically wrong. 4th option: To use eval function. so possible payloads: 1st payload: "><IMG SRC=JAVASCRIPT:ALERT(2nd Payload: ) ONERROR=ALERT(1) SIZE="It also didn't worked with an issue. Guess what, javascript is case sensitive.

But this one popped something cool into my mind. Why not use A href with vbscript, already the application was into IE so all potential victims will be using IE only. So i crafted the payloads as :1st payload: "><A HREF="VBSCRIPT:MSGBOX(1)"2nd Payload: ">)AAAAA><A"This time the payload got injected, but didnt gave me any hyperlink on the page except a normal text of "AAAAA". I realized, things were going into two tables, so why not close them using two more parameters. We already have four vulnerable parameters.

Next set of payloads I tried. 1st Payload: "></TABLE b="2nd Payload: "></TABLE b="3rd Payload: "><A HREF="VBSCRIPT:MSGBOX(1)"4th Payload: ">)AAAAA><A"I used the left back values of "value" attribute each time into the tag which I was injecting, i.e. in table of A tag.

If you would like further information on an appropriate IT security course for your business, please do not hesitate to contact simplEtraining today. A representative will be more than happy to answer your questions and assist you with your enquiry. Take action today before it is too late.cyber security training

About the Author

A bike rider, a crazy traveller, a hacker and security professional who can help you get your digital stuff secured. I love every bit of data passing through the wires in your network, to and from your router. But I equally love riding motorcycles in order to learn and understand more about people and myself.
Currently I am on this crazy mission of doing a Road Trip every weekend, Be it 100 Kms or 2000. If you want to join me in for the crime, connect @upgoingstar